CVE-2021-41773

Published: 05/10/2021 Updated: 25/10/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Most Upvoted Vulmon Research Post

PoC: 127.0.0.1/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

Vulnerable Product

apache http server 2.4.49

Vendor Advisories

Arch Linux Security Advisory ASA-202110-1. Severity: Critical. Date: 2021-10-21. CVE-ID: CVE-2021-42013. Package: apache. Type: directory traversal. Remote: Yes. Link: security.archlinux.org/AVG-2450. Summary: The package apache before version 2.4.51-1 is vulnerable to directory t ...
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of inter ...
On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities: CVE-2021-41524: Null Pointer Dereference Vulnerability; CVE-2021-41773: Path Traversal and Remote Code Execution Vulnerability; CVE-2021-42013: Path Traversal and Remote ...

Mailing Lists

Apache HTTP Server version 2.4.49 suffers from a path traversal vulnerability ...
Hi Yann, Re [1], I think this: "critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773 <cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773>)" is still misleading and should read: "critical: Path traversal and *Remote Code Execution* vulnerability in Apache HTTP Server 2.4.49  ...
Severity: critical. Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration " ...
Hi oss-security folks, Closing the loop on this one. Will Dormann, Hacker Fantastic and I successfully managed to turn this into RCE on both Windows and Linux. With mod_cgi (and maybe other similar extensions) enabled, Will showed he could get calc to pop on Windows and HF and I subsequently figured out how to trigger the bug on Linux to reach / ...
Thanks Yann, I'm happy you agree with my analysis. It also seems to match the one by your colleague Stefan (that you referenced). I just wanted to clarify that the impact of both CVEs is exactly the same: RCE and/or arbitrary file read and/or none, depending on httpd config :-) There's no difference between Apache 2.4.49 and 2.4.50 in that regard ...
On Sat, Oct 9, 2021 at 8:00 PM Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote: I appreciate this nuance in your tweetS. For completeness :) I'll note that most configs (default, vendors, distros) are not vulnerable to the RCE. The removal of "<Directory/> require all denied" is an exploit httpd can do nothing about. httpd p ...
On Fri, Oct 08, 2021 at 08:37:33PM +0200, Yann Ylavic wrote: Yann is probably referring to the full tweet thread by Roman, not just the one tweet that Roman posted in here. Let me correct that: --- Román Medina-Heigl Hernández @roman_soft RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013): root@CT406:~# curl 'htt ...
Hi, I posted RCE exploit for this (it works for both CVEs: 41773 & 42013) and some other details regarding requirements / exploitability, which you may find useful at: twitter.com/roman_soft/status/1446252280597078024 Excerpt (for the sake of ml-archive): RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-4201 ...

Github Repositories

cve-2021-41773-nse By George Labrin (@creadpag). Checks if Server is vulnerable to Apache 2.4.49 CVE-2021-41773. POC: Open your favorite Terminal and run these commands. First Tab: mv cve-2021-41773.nse /usr/share/nmap/scripts/ Second Tab: sudo nmap -Pn --script=cve-2021-41773.nse XXXX -p X

cve-2021-41773-nse CVE-2021-41773.nse

mass_cve-2021-41773 MASS CVE-2021-41773

CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited. On October 5, the Apache HTTP Server Project patched CVE-2021-41773, a path traversal and file disclosure vulnerability in Apache HTTP Server, an open-source web server for Unix and Windows that is among the most widely used web servers. According to the security advisory, CVE-2021-41773 has been exploited

CVE-2021-41773 (Apache httpd) For educational purposes only. See Reference for the details. Run $ git clone github.com/masahiro331/CVE-2021-41773.git $ cd CVE-2021-41773 $ docker build -t cve-2021-41773 . $ docker run -d -p 8080:80 cve-2021-41773 Exploit Exposed after first poc

Vulnerable docker images for CVE-2021-41773 Apache path traversal. This vulnerability only applies to version 2.4.49 that have specific non-default configs. In certain situations this can result in either file read or code execution. twitter.com/ptswarm/status/1445376079548624899 Vulnerable file read config: Containers can be pulled directly from Docker Hub using docker

Apache 2.4.49 - Path Traversal or Remote Code Execution. cve-2021-41773.py is a python script that will help in finding Path Traversal or Remote Code Execution vulnerability in Apache 2.4.49. Intentionally vulnerable instance of Docker is provided to get your hands dirty on CVE-2021-41773. If CGI-BIN is enabled then we can perform Remote Code Execution but not Path Traversal, so

CVE-2021-41773 Hello guys, yesterday the new CVE-2021-41773 for Apache 2.4.49 version was released. So in this case, I want to explain about this Apache vulnerability. Playground: So, I think you guys want to test this vulnerability in website. So I have a playground place for you guys. This is the website to download docker image of example Apache 2.4.49 Docker Image. Note: there

CVE-2021-41773 reproduction. www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited A vulnerability unique to Apache v2.4.49: earlier versions did not have the ap_normalize_path function, which was introduced in v2.4.49, and it is this function that causes the directory traversal; it was fixed in v2.4.50. Environment: github.com/1nhann/CVE-2021-41773 root@ubun

CVE-2021-41773 Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49. Usage: python3 apache2-4-49.py -h python3 apache2-4-49.py --check --single example.com Reference: www.tenable.com/blog/cve-2021-41773-path-traversal-zero-day-in-apache-http-server-exploited nvd.nist.gov/vuln/detail/CVE-2021-41773

lab-cve-2021-41773 Container lab to play/learn with CVE-2021-41773. docker build -t apache-lab . $ docker run -dit --name apache-pt-app -p 81:80 apache-lab

CVE-2021-41773 Path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773). For educational purposes only. Test: Set up the PoC environment $ docker build -t cve-2021-41773 . $ docker run --rm -dit -p 8000:80 cve-2021-41773 Confirm it works $ curl localhost:8000 <html><body><h1>It works!&

CVE-2021-41773 - Apache HTTP Server 2.4.49. How to run the CVE-2021-41773 Path Traversal lab: Install and run Docker on your PC/laptop. Clone this GitHub repo. Go to the Path Traversal folder. Enter the following commands: docker build -t cve-2021-41773-path-traversal . and docker run --rm -dit -p 8888:80 cve-2021-41773-path-traversal Access it with a browser by

CVE-2021-41773-PoC PoC for CVE-2021-41773 with docker to demonstrate. Run: Just run ./poc.sh Make sure you have working docker and docker-compose. $ ./poc.sh Creating network "cve-2021-41773-poc_default" with the default driver Creating cve-2021-41773-poc_web_1 done root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/u

CVE-2021-41773 scanner. This script tests for the path traversal and local file inclusion vulnerability in Apache version 2.4.29, this script doesn't return local files, it merely scans the web server and tells you if it's vulnerable or not. Usage: python3 cve-2021-41773-scanner.py

Self-developed security tools in Go. This project records some small security-related tools that I have developed in Go. The author will not add backdoors of any kind to the programs, and the programs will not cause any damage to the system. However, the tools are only suitable for self-assessment by the system owner or for testing by a contractor with authorization. Feel free to use them, at your own risk. I am a beginner and my code is poorly written; all programs

Usage: file ip-ports.txt: 1.1.1.1:80 node CVE-2021-41773.js ip-ports.txt

CVE-2021-41773.py Apache 2.4.49 Path Traversal

php Thinkphp Apache CVE-2021-41773 oa landray_oa (Landray OA) front-end arbitrary file read seeyon_oa (Seeyon OA) yonyou (Yonyou) Yonyou NC BeanShell RCE php Thinkphp Apache CVE-2021-41773 Affected versions: Apache HTTP SERVER 2.4.49 References oa landray_oa (Landray OA) front-end arbitrary file read seeyon_oa (Seeyon OA) yonyou (Yonyou) Yonyou NC BeanShell RCE Affected versions: Yonyou NC6.5 References

CVE-2021-41773 Path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773). Use docker-compose up -d Payload /cgi-bin/%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

CVE-2021-41773 Apache 2.4.49 Path Traversal Vulnerability. Disclaimer: This project is meant for fellow researchers with good-will to assess their targets. Please do not use it for malicious intent. Scripts are not well tested so use it at your own risk. Description: This directory contains two scripts that can be used to enumerate if the targets available in shodan are vulnerab

CVE-2021-41773 Mass exploitation CVE-2021-41773 and auto detect possible RCE

CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49

CVE-2021-41773

One-Liner-Scripts A collection of awesome one-liner scripts especially for bug bounty. Finding XSS: echo "target.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | grep "URL" | cut -d '"' -f2 | sort -u | dalfox pipe Finding OpenRedirect: waybackurls target.com | grep -a -i \=http | qsreplace 'h

POC CVE-2021-41773

CVE-2021-41773 Exploitation of CVE-2021-41773, a Directory Traversal in Apache 2.4.49

CVE-2021-41773

CVE-2021-41773 Apache 2.4.49 Path Traversal Vulnerability Checker. Example Platform: Linux & Windows

CVE-2021-41773 CVE-2021-41773 POC with Docker

CVE-2021-41773-RCE

CVE-2021-41773 Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49. This script tests Apache HTTP Server 2.4.49. Usage: CVE-2021-41773.py options Only for one IP: python CVE-2021-41773.py IP_address Option -f: For IP list in file. Example: python CVE-2021-41773.py -f IP_address_list_filename Option -s: For IP subnet. Example: python CVE-2021-41773.py -s 192

CVE-2021-41773 Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE

CVE-2021-41773 Poc CVE-2021-41773 - Apache 2.4.49 with CGI enabled. Usage : chmod +x CVE-2021-41773.sh ./CVE-2021-41773.sh ip:port/ /etc/passwd References: nvd.nist.gov/vuln/detail/CVE-2021-41773 cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773

CVE-2021-41773 Apache 2.4.49

CVE-2021-41773 Playground. This is a small Docker recipe for setting up a Debian bookworm based container with an instance of the Apache HTTPd (2.4.49) that is vulnerable to CVE-2021-41773. CGI has been explicitly enabled so it can be used to test/verify Local file Disclosure behavior as well as Remote Command Execution behavior. Usage $ docker-compose build && d

cve-2021-41773

CVE-2021-41773 Apache HTTPd (2.4.49) – Local File Disclosure (LFI)

CVE-2021-41773 Path Traversal in Apache HTTP Server 2.4.49. Summary: A vulnerability was discovered in version 2.4.49 of Apache. This vulnerability allows an LFI (Local File Inclusion) attack that makes it possible to read the contents of normally inaccessible files. In the default configuration, the

Simple CVE-2021-41773 checker. Simple script written in bash for checking multiple hosts for CVE-2021-41773 (Apache) [+] Usage: ./CVE-2021-41773.sh hosts.txt

The 1978 UNIX v7 UUCP chkpth() bug. Unix v7 UUCP had a bug in the chkpth() code. There was a bug in UUCP way-way-back in the late 70's and early 80's within the original UUCP code included in Unix v7 and its newer derived versions. CVE-2021-41773: The bug lives on in the recent CVE-2021-41773 (CVE == Common Vulnerabilities and Exposures). It's fully explain

CVE-2021-41773 Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49. This script tests Apache HTTP Server 2.4.49. Usage: CVE-2021-41773.py options Only for one IP: python CVE-2021-41773.py IP_address Option -f: For IP list in file. Example: python CVE-2021-41773.py -f IP_address_list_filename Output: python CVE-2021-41773.py AAA.BBB.CCC.DDD Server AAABBBC

CVE-2021-41773 This is my first time trying to make an exploit for something so be nice. [*] Exploit Title: Apache HTTP Server 2.4.49 Path Traversal [*] Author: 0xRar , 0xrar.net [*] CVE: CVE-2021-41773 [*] Version: Apache 2.4.49 [*] Not Tested Yet Help Command: python3 exploit.py -h

PATCH-CVE-2021-41773

CVE-2021-41773 Path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773)

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773): A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the doc

CVE-2021-41773 PoC CVE-2021-41773 httpd.apache.org/security/vulnerabilities_24.html cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773 Window GET /cgi-bin/%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini HTTP/1.0 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1 Accept: text/html,application/xh

apache_path_traversal This is a PoC for the directory traversal Apache vulnerability CVE-2021-41773 that supports multiple hosts. Usage : python3 poc_CVE-2021-41773.py hosts.txt

CVE-2021-41773 This is a simple poc for Apache/2.4.49 Path Traversal Vulnerability

CVE-2021-41773 Fast python tool to test Apache path traversal CVE-2021-41773 in a list of URLs. Usage: create a live urls file and use the flag "-l" python3 apache_path_traversal.py -l urls-list.txt

CVE-2021-41773 POC

cve-2021-41773_2021-42013 mass scan for apache 2.4.49/2.4.50 vulnerability

CVE-2021-41773 Quick proof of concept. The script checks for LFI and RCE in Apache 2.4.49; you can test a single target or a list. Make sure you specify HTTP or HTTPS for a single target. Test only if you're authorized, be smart. Example usage: python3 cve2021-41773.py -target DOMAIN/IP -protocol HTTP/HTTPS -file domain_list.txt

Apache (CVE-2021-41773, CVE-2021-42013) Vulnerability Checker cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773 cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013 Using GNU Parallel: You must have parallel for using this tool. Install Parallel: Linux : apt-get install parallel -y Windows : stackoverflow.com/questions/52393850/how-to-install-gnu-para

CVE-2021-41733_PoC CVE-2021-41773 - Path Traversal and RCE in Apache HTTP Server 2.4.49 PoC

apache-httpd-path-traversal-checker apache httpd path traversal checker(CVE-2021-41773 / CVE-2021-42013)

What is EzpzShell? Collection Of Reverse Shell that can easily generate using different Programming Language. Currently only python3 is fully updated and others still in development. This repo is for my own educational purpose and I would like to refer back in future. Thank you! Disclaimer: Do not use this script for illegal use. Any action you take upon the information on this

CVE-2021-41773 CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited; Apache HTTP Server CVE-2021-41773 Exploited in the Wild; CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773). Shodan oneliner: shodan search Apache Server 2.4.49 | awk '{print $1":"$2}' | while

CVE-2021-41773 A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013). References: httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773 httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013 blog.sonatype.com/apache-servers-actively-exploited-in-wild-importa

Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE. Exploit Author: Lucas Souza lsass.io Vendor Homepage: apache.org/ Version: 2.4.49, 2.4.50 Tested on: 2.4.49, 2.4.50 CVE : CVE-2021-41773, CVE-2021-42013 Credits: Ash Daulton and the cPanel Security Team Usage: ./PoC.sh targets.txt /etc/passwd ./PoC.sh targets.txt /bin/sh "id"

CVE-2021-41773_CVE-2021-42013 CVE-2021-41773 CVE-2021-42013 multi-threaded batch vulnerability detection and exploitation tool. Introduction: This tool may only be used for security testing; do not use it for illegal purposes! Tool purpose: CVE-2021-41773 CVE-2021-42013 multi-threaded batch vulnerability detection and exploitation tool. Tool screenshots. Feedback: If you have good suggestions or find bugs. GitHub issue: github.com/inbug-team/CVE-2021-41773

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. pokerfaceSad/CVE-2021-1056 CVE-2021-

Recent Articles

Brewdog might make an OK pint but its security sucks: Flaw opened door to free beers for anyone
The Register • Iain Thomson in San Francisco • 11 Oct 2021

Plus two failings this week at Apache and Twitch and nostalgia for Flash fans

In brief Hipster beer maker Brewdog has been caught out by a basic, but potentially very expensive, security problem, and the team that discovered it says the Scottish tipple-merchant's response was hardly encouraging.
Research by security shop Pen Test Partners found that the Brewdog mobile app used the same hard-coded API Bearer Token to log in every single customer on their mobiles. This would allow anyone to access and use other people's accounts, including 200,000 "Equity for Punks" s...

Apache emergency update fixes incomplete patch for exploited bug
BleepingComputer • Lawrence Abrams • 07 Oct 2021

Apache Software Foundation has released HTTP Web Server 2.4.51 after researchers discovered that a previous security update didn't correctly fix an actively exploited vulnerability.
Apache HTTP Server is an open-source, cross-platform web server that powers approximately
.
 On Tuesday, Apache released Apache HTTP 2.4.50 to 
 in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server.
...

Running a recent Apache web server version? You probably need to patch it. Now
The Register • Richard Speed • 06 Oct 2021

Unless you want to leak like a sieve

The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited.
Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure flaw, is particularly problematic.
The former was reported to Apache's security team on 17 September and can be exploited by an external source to DoS a server ...

Actively exploited Apache 0-day also allows remote code execution
BleepingComputer • Ax Sharma • 06 Oct 2021

Proof-of-Concept (PoC) exploits for the Apache web server zero-day surfaced on the internet revealing that the vulnerability is far more critical than originally disclosed.
These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution (RCE) abilities.
Apache remains one of the most popular web servers of choice with over a
.
The path traversal vulnerability in Apache's HTTP server,
by BleepingComputer...

Apache Web Server Zero-Day Exposes Sensitive Data
Threatpost • Tara Seals • 05 Oct 2021

Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information.
According to a security advisory issued on Monday, the issue (CVE-2021-41773) could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized people to access files on a web server, b...

References

CWE-22
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f@%3Cusers.httpd.apache.org%3E
https://lists.apache.org/thread.html/r98d704ed4377ed889d40479db79ed1ee2f43b2ebdd79ce84b042df45@%3Cannounce.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/05/2
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal.html
http://www.openwall.com/lists/oss-security/2021/10/07/1
http://packetstormsecurity.com/files/164418/Apache-HTTP-Server-2.4.49-Path-Traversal-Remote-Code-Execution.html
https://lists.apache.org/thread.html/r7c795cd45a3384d4d27e57618a215b0ed19cb6ca8eb070061ad5d837@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rb5b0e46f179f60b0c70204656bc52fcb558e961cb4d06a971e9e3efb@%3Cusers.httpd.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/07/6
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-pathtrv-LAzg68cZ
http://www.openwall.com/lists/oss-security/2021/10/08/1
https://lists.apache.org/thread.html/r17a4c6ce9aff662efd9459e9d1850ab4a611cb23392fc68264c72cb3@%3Ccvs.httpd.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/10/08/2
http://www.openwall.com/lists/oss-security/2021/10/08/4
http://www.openwall.com/lists/oss-security/2021/10/08/3
http://www.openwall.com/lists/oss-security/2021/10/08/6
http://www.openwall.com/lists/oss-security/2021/10/08/5
http://www.openwall.com/lists/oss-security/2021/10/09/1
http://www.openwall.com/lists/oss-security/2021/10/11/4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMIIEFINL6FUIOPD2A3M5XC6DH45Y3CC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS5RVHOIIRECG65ZBTZY7IEJVWQSQPG3/
http://www.openwall.com/lists/oss-security/2021/10/15/3
http://www.openwall.com/lists/oss-security/2021/10/16/1
http://packetstormsecurity.com/files/164629/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution.html
https://www.theregister.co.uk/2021/10/06/apache_web_server_data_patch/
https://github.com/creadpag/CVE-2021-41773-POC
https://nvd.nist.gov
https://threatpost.com/apache-web-server-zero-day-sensitive-data/175340/
https://security.archlinux.org/ASA-202110-1
https://security.archlinux.org/CVE-2021-41773